Hi Danny,

I created a one-liner that shows the VPN routing.

If you like, you can include this command in your script.

Show VPN Routing on CLI 

Regards,

Heiko

I'm running R80.20EA in my lab and noticed the same thing. I made the following adjustment to the ccc script.

Updated:

# System info

  TYPE=`cpstat os | grep "Appliance Name" | tr -s ' ' | cut -c 17-`
  if     [[ `echo $MDSDIR | grep mds` ]]; then SYSTEM="Multi-Domain Server (MDS)"
    elif [[ `$CPDIR/bin/cpprod_util FwIsVSX 2> /dev/null` == *"1"* ]]; then SYSTEM="Virtual System Extension (VSX)"
    elif [[ `$CPDIR/bin/cpprod_util FwIsStandAlone 2> /dev/null` == *"1"* ]]; then SYSTEM="Standalone Firewall & Management"
    elif [[ `cpstat -f all ha | grep "HA started:" | tr -s ' '` == "HA started: yes"  ]]; then MODE=`cpstat -f all ha | grep "Working mode:" | tr -s ' ' | cut -c 15,20`; STAT=`cpstat -f all ha | grep "HA state:" | tr -s ' ' | cut -c
11-`; STAT="$(tr '[:lower:]' '[:upper:]' <<< ${STAT:0:1})${STAT:1}"; SYSTEM="Firewall Cluster Node (${MODE}) - ${STAT}"
    elif [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2> /dev/null` == *"1"*  ]]; then SYSTEM="Firewall Gateway"
    elif [[ `$CPDIR/bin/cpprod_util FwIsFirewallMgmt 2> /dev/null` == *"1"*  ]] && [[ `cpwd_admin list | grep -o CPSEMD` == "CPSEMD"  ]];  then SYSTEM="Firewall Management (with Smart Event)"
    elif [[ `$CPDIR/bin/cpprod_util FwIsFirewallMgmt 2> /dev/null` == *"1"*  ]]; then SYSTEM="Firewall Management"
    elif [[ `cpwd_admin list | grep CPSEMD | cut -c 1-6` == "CPSEMD"  ]]; then SYSTEM="SmartEvent Server"
    else SYSTEM="N/A"
  fi

zcat: unexpected end of file

Below is the process  that I did 

STEP 01 : Download the script  (ccc.gz)

STEP 02: Transfer the file to /usr/bin/   (Using WinScp)

STEP 04: Now decompress the file (zcat /usr/bin/ccc.gz > /usr/bin/ccc)

STEP 04: Now make it executable (chmod +x ccc) (chmod +x /usr/bin/ccc)

STEP 05: Now type ccc

NOTE : I am able to execute all the command but why i am getting  "zcat: unexpected end of file" error while executing (ccc). 

#Chinmaya Naik

Added in version 2.6

Included your adjustment in version 2.6. Thanks!

How about adding "pdp connections pep" next to the other IA-commands?

Thanks,

Hans

Nice tool.

Unfortunately now we have two different Tools (sk121447) to check health state and troubleshoot the System.

I would suggest to add "fwaccel off" and "fwaccel on" when doing "ips off"

Further I would add the same for QoS:
fgate stat

fgate off

fgate on

same with fwaccel off/on

a command to show "fwkern.con" and "simkern.conf" could help, too.

I would be interested in what "PANIC MODE" and "NORMALE MODE" are doing. so perhaps add here and there some Information about the commands you use.

And - I did not test it - but perhaps add a user check before performing such Actions to make sure noone unexpectedly uses these commands.

When performing one Task of your script the Cursor is at the end of the Output but simetime you do not know if it has finished or not. so add a line "Task finished" or something similar at the end of every Task execution.

So really nice and helpful script. Go on with this good work!

Regards

Added in version 2.7

Added in version 2.7

If you like, then you can include Show bgp peers across VSX in CLI‌ as well.

Hi Danny,

Wonderful tool !

May I sugguest the command "cpqshape" ? Quite helpful when debugging MTA

Regards

Benoit

Added "cpqshape" commands as described in ATRG: Mail Transfer Agent (MTA) in version 2.9

Can i use it on R77.30?

Yes.

This should be natively included

I agree. You could send Check Point a Request for Enhancement (RFE) asking for this. Maybe someday Check Point will have the best Community scripts included by default.

Hmmm - R80.20 B10:
[Expert@SMS8010:0]# ccc
Starting/bin/ccc: line 21: bind: warning: line editing not enabled
.........free: invalid option -- 'o'

Usage:
 free [options]

Options:
 -b, --bytes         show output in bytes
 -k, --kilo          show output in kilobytes
 -m, --mega          show output in megabytes
 -g, --giga          show output in gigabytes
     --tera          show output in terabytes
 -h, --human         show human-readable output
     --si            use powers of 1000 not 1024
 -l, --lohi          show detailed low and high memory statistics
 -t, --total         show total for RAM + swap
 -s N, --seconds N   repeat printing every N seconds
 -c N, --count N     repeat printing N times, then exit
 -w, --wide          wide output

     --help     display this help and exit
 -V, --version  output version information and exit

For more details see free(1).
..
--------------------------------------------- ccc v3.0 -

On the GW of the same version all is good:

[Expert@GW_80.10:0]# ccc
Starting................
--------------------------------------------- ccc v3.0 -

Fixed in version 3.1

Yes:
[Expert@SMS8010:0]# ccc
Starting/usr/bin/ccc: line 21: bind: warning: line editing not enabled
...........
------------------------------------------------ ccc v3.1 -

Great work Danny Jung !

@Checkpoint - give this man a medal !

Whilst deploying the script to our devices and executing on version R77.30 , we had to change the script a little to get the correct Hotfix.

For some devices the 77.30 hotfix output is not correct when for example the CPUSE wasn't updated before installation of HFA - there is no installed_jumbo_take command. ( sk115719)

Have an extra request -> is it possible to build in a fool proof protection for critical commands like "CPSTOP" ?

Just to be sure ... - asking confirmation when running a critical command is not going to hurt anybody .

Then some additional info (bold text ) i added to the startup screen, to get a complete overview on the first screen - so administration is made a little easier .

And that gives me this output atm :

--------------------------------------------- ccc v3.0 -
Hostname
--------------------------------------------------------
System Firewall Gateway
Type Check Point 2200
Serial Number 1111B1111
Version Check Point Gaia R77.30 JHF (Take 185)
CPUSE Build 1130
CPU 2 Cores | SMT: - | Load: 0.25%
RAM 2 GB (Free: 0 GB) | Swapping: 0 GB
SecureXL On | Multi-Queue Interfaces: -
CoreXL On (2 Cores) | Dynamic Dispatcher: Off
Uptime 80 days
--------------------------------------------------------
Managed by Some_Management (IP: 192.169.1.1)
--------------------------------------------------------
Policy Some_Policy_Name
Installed   Aug 21 2018 - 09:48:02
--------------------------------------------------------
Blades FW, VPN
--------------------------------------------------------

Mac Address 00:11:FF:FF:FF:FF
--------------------------------------------------------

I used following commands to collect the data :

• Added Serial number info
  SERIAL=`clish -c "show asset system" | grep "Serial Number:" | head -1 | cut -d ":" -f2 | sed 's/ //g'`;

• Changed JHF command
  JUMBO=`cat $CPDIR/registry/HKLM_registry.data | grep Check_Point | grep -o -E '[0-9]+' | tail -1`; [ "$JUMBO" == '' ] && JUMBO="-"

        (Command not tested yet for R80 , maybe we need to use the buildin OS verifier to check what command to use , but need more time ... )

• Added CPUSE build info - easy to verify builds on all gateways
  CPUSE=`cpvinfo $DADIR/bin/DAService | grep -iE "Build|Minor" | grep -o -E '[0-9]+' | head -1`;

• Changed RAM info - gives now the correct number of Memory installed in GB
  RAM=`dmidecode -t memory | grep  Size: | grep -v "No Module Installed" | awk '{sum+=$2/1024}END{print sum}'`;

• Added Policy installation date -  
  PINST=`cpstat fw | grep "Install time" | awk '{print $4" "$5" "$7" - "$6}'`; echo -n .

• Added Mgmt Mac Address 
  MAC=`clish -c "show interface Mgmt" | grep "mac-addr" | awk '{print $2}'`;

Still need more more info when it's a VSX, come back on this later .

Regards,

Rolf

Idea to add check for PSU status and RAID status ?

Added and improved in version 3.2, though I moved the CPUSE build info to the Firewall Management & Gateway submenu.

Added in version 3.2

Any command to disable App/URL filter blade(like ips off) in Gateway..

I'm not aware of any command to control Application Control / URL Filtering at the CLI. It should however be possible to change the setting for this Software Blade via dbedit and have the security policy reinstalled to the specific gateway afterwards.